Not sure where to start? Answer 3 questions and get a tailored compliance action plan.
What applies to me? →Proposed CPPA Regulations on Cybersecurity, Risk Assessments, and Automated Decision-Making Technologies
Issued by
California Privacy Protection Agency
The California Privacy Protection Agency Board finalized proposed rules in May 2025 covering cybersecurity audits, privacy risk assessments, and the use of automated decision-making technologies. The rules would apply to businesses that process personal data in ways that pose significant risks to consumers or that use automated systems to make consequential decisions. If adopted, they would impose new opt-out rights for consumers and mandatory assessment obligations on covered businesses.
Applies To
Overview
These proposed regulations, advanced by the CPPA Board in May 2025, represent the most detailed rulemaking to date under the California Consumer Privacy Act as amended by the California Privacy Rights Act. The rules establish requirements in three interconnected areas: cybersecurity audits for high-risk data processing activities, formal privacy risk assessments before undertaking certain data practices, and consumer-facing obligations tied to the deployment of automated decision-making technologies. ADMT provisions would require covered businesses to provide consumers with the right to opt out of automated decisions affecting access to employment, credit, education, housing, and other significant domains. Risk assessment provisions mandate documented pre-deployment analysis weighing business benefits against potential harms to consumers. The CPPA retains enforcement authority under the CPRA, including civil penalties of up to $7,500 per intentional violation, and the proposed rules are subject to a formal administrative adoption process before taking legal effect.
Key Requirements
- •Conduct and document privacy risk assessments before initiating data processing activities that present significant risk to consumers, including profiling and large-scale processing of sensitive data.
- •Provide consumers with a clear opt-out mechanism for the use of automated decision-making technologies in consequential decisions affecting employment, credit, housing, education, and healthcare, among other domains.
- •Implement and maintain a cybersecurity audit program proportionate to the volume and sensitivity of personal data processed, with audit results subject to submission to the CPPA upon request.
- •Disclose to consumers when ADMT is being used to make or substantially influence a decision that affects them, including the logic involved and the categories of data used.
- •Retain documentation of risk assessments and make them available to the CPPA as part of any enforcement investigation; no specific retention period is yet codified but multi-year retention is anticipated.
- •Civil penalties for intentional violations may reach $7,500 per violation under existing CPRA enforcement authority.
What Your Organization Must Do
- →Audit all automated systems currently in use that influence consumer-facing decisions and determine which fall within the proposed ADMT definitions before the rules are finalized.
- →Map existing data processing activities against the risk assessment trigger criteria to identify which workflows will require documented pre-deployment assessments.
- →Design and implement a consumer-facing opt-out mechanism for ADMT that can be activated quickly once the rules take effect, avoiding a build-from-scratch crunch after adoption.
- →Update privacy notices to disclose ADMT use, the categories of data involved, and the nature of decisions being influenced, consistent with the proposed transparency requirements.
- →Establish or expand a cybersecurity audit program that is documented, repeatable, and capable of producing records responsive to a CPPA inquiry.
- →Engage legal counsel to monitor the administrative rulemaking timeline and submit comments during any remaining public comment window to protect operational interests.
